topic Re: Does btool logs its usage somewhere? in Security

Does btool logs its usage somewhere?

jordanking1992 — Wed, 04 Apr 2018 13:39:19 GMT

All,

Looking at some windows logs and came across the following commands ran on two separate computers. The "--no-log" concerns me and I can't seem to find if there is a place where logs would generate when this command is ran.

Has anyone seen or know why I would be seeing this? I am the only admin for these hosts so at first glance this looks like a bad actor.

Re: Does btool logs its usage somewhere?

PowerPacked — Wed, 04 Apr 2018 21:55:06 GMT

Hi @jordanking1992

Please check the usage of the btool command.

splunkhome/bin/splunk btool "conf file prefix" list --debug --app="appname"| grep "if you want to grep something from conf file"

and also use "> /var/tmp/123.txt" to write results into text file

here is the link to splunk doc

& splunk does writes logs about btool in splunkhome/var/log/splunk/bttol.log

Thanks

Re: Does btool logs its usage somewhere?

jordanking1992 — Thu, 05 Apr 2018 12:44:02 GMT

Thanks for the information but the question is "What am I seeing in those screenshots?". I cannot find the --no-log anywhere in the documentation.

-Jordan

Re: Does btool logs its usage somewhere?

splunker12er — Thu, 05 Apr 2018 12:52:00 GMT

Can you post the full windows logs ? so to figure out why do you see these ?

Re: Does btool logs its usage somewhere?

clozach — Mon, 31 Aug 2020 18:07:30 GMT

Hi did you ever determine what the root of this was? I'm seeing the same thing in my environment and would like to understand what's going on.

Re: Does btool logs its usage somewhere?

thambisetty — Mon, 31 Aug 2020 18:44:14 GMT

Can you try running btool with —no-log option and check if that’s displaying some output?